Adopted - version for public consultation

Guidelines 01/2025 on Pseudonymisation

Adopted on 16 January 2025

EXECUTIVE SUMMARY

The GDPR defines the term ‘pseudonymisation’ for the first time in EU law and refers to it several times as a safeguard that may be appropriate and effective for the fulfilment of certain data protection obligations.

As per that definition, pseudonymisation can reduce the risks to the data subjects by preventing the attribution of personal data to natural persons¹ in the course of the processing of the data, and in the event of unauthorised access or use.

Applying pseudonymisation, controllers can thus retain the option to analyse the data, and, optionally, to merge different records relating to the same person. Pseudonymisation can also and often will be set up so that it is possible to revert to the original data. Thus, controllers can process personal data in original form in some stages of the processing, and in pseudonymised form in others.

Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person,² and is therefore personal. This statement also holds true if pseudonymised data and additional information are not in the hands of the same person. Even if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data can be considered anonymous only if the conditions for anonymity are met.

The GDPR does not impose a general obligation to use pseudonymisation. The explicit introduction of pseudonymisation is not intended to preclude any other measures of data protection (Rec. 28 GDPR). It is the responsibility of the controller to decide on the choice of means for meeting its obligations having regard to the accountability principle. Depending on the nature, scope, context and purposes of processing, and the risks involved in it, controllers may need to apply pseudonymisation in order to meet the requirements of EU data protection law, in particular in order to adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk. In some specific situations, Union or Member State law may mandate pseudonymisation.

The risk reduction resulting from pseudonymisation may enable controllers to rely on legitimate interests under Art. 6(1)(f) GDPR as the legal basis for their processing provided they meet the other requirements of that subparagraph; contribute to establishing compatibility of further processing according to Art. 6(4) GDPR; or help guarantee an essentially equivalent level of protection for data they intend to export.

Finally, the contribution of pseudonymisation to data protection by design and default, and the assurance of a level of security appropriate to risk may make other measures redundant – even though pseudonymisation alone will normally not be a sufficient measure for either.

Controllers should establish and precisely define the risks they intend to address with pseudonymisation. The intended reduction of those risks constitutes the objective of pseudonymisation within the concrete processing activity. Controllers should shape pseudonymisation in a way that guarantees that it is effective in reaching this objective.

¹ For a definition of what it means to attribute data to a natural person see paragraph 17. Prevention of attribution does not imply anonymity of the data.

² Rec. 26 GDPR.

Controllers may define the context in which pseudonymisation is to preclude attribution of data to specific data subjects. This context will be called the pseudonymisation domain in these guidelines. The pseudonymisation domain does not have to be all-encompassing, but may be restricted to defined entities, most often to the set of all authorised recipients of the personal data that will process the data for a given purpose. The effectiveness of pseudonymisation in the implementation of data-protection principles or in the assurance of a level of security appropriate to the risk is highly dependent on the choice of the pseudonymisation domain and its isolation from additional information that allows the attribution of pseudonymised data to specific individuals.

Thus, pseudonymisation is a safeguard that can be applied by controllers to meet the requirements of data protection law and, in particular, to demonstrate compliance with the data protection principles in accordance with Art 5(2) GDPR. These guidelines will help controllers to choose effective techniques for the modification of original data, to protect pseudonymised data from unauthorised attribution, and to manage user rights when processing pseudonymised data.

Controllers must always bear in mind that pseudonymised data, which could be attributed to a natural person by the use of additional information, remains information related to an identifiable natural person, and thus is personal data (Rec. 26 GDPR). Therefore, the processing of such data needs to comply with the GDPR, including the principles of lawfulness, transparency, and confidentiality under Art. 5 GDPR, and the requirements of Art. 6 GDPR. Controllers must maintain an appropriate level of security by implementing further technical and organisational measures. Finally, controllers must ensure transparency, and need to facilitate the exercise of the data subject rights set out in Chapter III of the GDPR, unless the exception provided for in Art. 11(2) and 12(2) GDPR applies.

Table of Contents

Executive summary

1 Introduction

2 Definitions and legal analysis

2.1 Legal definition of pseudonymisation

2.2 Objectives and advantages of pseudonymisation

2.2.1 Risk reduction

2.2.2 Analysis of pseudonymised data and planned attribution

2.3 Pseudonymisation domain and available means for attribution

2.4 Meeting data-protection requirements using pseudonymisation

2.4.1 Pseudonymisation as an effective measure for data protection by design and by default

2.4.2 Ensuring a level of security appropriate to the risk

2.4.3 Pseudonymisation as a supplementary measure for third country data transfers

2.5 Transmission of pseudonymised data to third parties

2.6 Implications for the rights of the data subjects

2.7 Unauthorised reversal of pseudonymisation

3 Technical measures and safeguards for pseudonymisation

3.1 Pseudonymising transformation

3.1.1 Structure of the pseudonymising transformation

3.1.2 Types of pseudonymising transformations

3.1.3 Modification of original data necessary for the objectives of pseudonymisation

3.1.4 Pseudonymisation in the course of data collection

3.2 Technical and organisational measures preventing unauthorised attribution of pseudonymised data to individuals

3.2.1 Preventing reversal of the pseudonymising transformation

3.2.2 Securing the pseudonymisation domain

3.3 Linking pseudonymised data

3.3.1 Controlling the scope for the linkage of pseudonymised data

3.3.2 Linking data pseudonymised by different controllers

3.4 Summary of procedures for pseudonymisation

Annex - Examples of the Application of Pseudonymisation

Example 1: Data minimisation and confidentiality in internal analysis

Example 2: Separation of functions allowing for data minimisation, purpose limitation, and confidentiality

Example 3: Data minimisation and purpose limitation in the course of external analysis

Example 4: Safeguarding identity - confidentiality and accuracy

Example 5: Secondary use for research

Example 6: Reduction of confidentiality risks

Example 7: Risk reduction as a factor in the balancing of interests, and ascertainment of compatibility of purposes

Example 8: Risk reduction justifying further processing

Example 9: Supplementary measure

Example 10: Granting access rights to pseudonymised data

Glossary

The European Data Protection Board

Having regard to Article 70(1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter “GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018³,

Having regard to Article 12 and Article 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING GUIDELINES

1 INTRODUCTION

1. These guidelines intend to clarify the use and benefits of pseudonymisation for controllers and processors.

2. The GDPR defines the term ‘pseudonymisation’ for the first time in EU law and refers to it several times as a safeguard that may be appropriate and effective for the fulfilment of data protection obligations. EU and Member State law is relying on that definition when requiring or recommending the use of pseudonymisation, see, e.g., Art. 17(1)(g) of Regulation (EU) 2023/2854 or Art. 44(3) of the European Commission’s Proposal for a Regulation on the European Health Data Space⁴.

3. Art. 4(5) GDPR defines pseudonymisation as a manner of processing with prescribed effects and calls for certain measures by which those effects are to be achieved.

4. The desired effect of pseudonymisation is to control the attribution of personal data to specific data subjects by denying this ability to some persons or parties. The GDPR does not specify who those persons or parties are to be, leaving it – absent specific requirements by other EU or Member State law – to the controller’s decision. Recital 29 makes clear that, when the pseudonymisation is carried out within the same controller, the effects might be confined to specific parts of the controller’s organisation.

5. There are three actions controllers should take to achieve the desired effect. First, they need to modify or transform⁵ the data. Second, they need to keep additional information for attributing the personal data to a specific data subject separately, i.e. separate from those who are to be prevented from achieving such an attribution. Last, they need to apply technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. In particular, they need to prevent the unauthorised use of the additional information they control and control the flow of pseudonymised data to the extent possible.

³ References to “Member States” made throughout this document should be understood as references to “EEA Member States”.

⁴ See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0197.

⁵ The guidelines use the terms “transform” and “transformation” to refer to a modification of the data for pseudonymisation and fitness for subsequent processing in pseudonymised form.

6. Pseudonymisation as a technical measure for the protection of the privacy of individuals has been around for a long time. The common understanding of pseudonymisation involves the replacement of identifiers of individuals by pseudonyms. In this process, the pseudonyms are to be chosen in a way that they do not reveal the identity of the individual they are assigned to. The legal definition presented by the GDPR differs from that understanding in three significant ways.

7. First, the legal definition takes a more comprehensive view of the effect of pseudonymisation. It shall no longer be possible to attribute the personal data to a specific data subject without the use of additional information. This requires a look at all parts of the personal data, not only the pseudonyms.

8. Second, it does not even explicitly require the replacement of direct identifiers⁶ by pseudonyms. It is clear that direct identifiers need to be removed from data if those data are not to be attributed to individuals. Moreover, Art. 4(5) GDPR provides for the retention of additional information that allows attribution of the data to individuals. During attribution, a link will be made between the data or parts thereof to identifiers of the individuals. This link will usually, but not necessarily, start with pseudonyms inserted into the data, precisely with the aim of allowing for attribution in authorised circumstances.

9. Third, it requires more than just the transformation of data. It requires additional technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Typically such measures limit access to the retained additional information (e.g. keys or tables of pseudonyms), and control the flow of pseudonymised data.

10. These guidelines will first have a closer look at the legal definition of pseudonymisation and the terms used therein. What is attribution? What is to be considered additional information? A key aspect evolving from this analysis are the many options for controllers to tailor their pseudonymisation processes to the objectives they intend to achieve. The guidelines introduce a new concept, called pseudonymisation domain, to capture one aspect of that freedom: to determine who should be precluded from attributing the pseudonymised data to individuals.

11. In a second step, the guidelines show how controllers and processors can use pseudonymisation to meet data-protection requirements. While pseudonymisation is a powerful and relevant measure, the document shows that it will always need to be complemented by further measures. The Guidelines highlight the benefits of pseudonymisation. They show in particular how pseudonymisation serves as a measure for data protection by design and by default, and as a measure contributing to ensuring a level of security appropriate to the risk of processing. At least in the latter case, the effect of pseudonymisation will have to be measured against the capabilities of persons or parties acting without authorisation.

12. In a third part, the guidelines will look at the implementation of pseudonymisation. How should personal data be transformed to pseudonymise it? How should unauthorised attribution be prevented? How should different pseudonymised datasets be linked, and how could such linkage be controlled?

⁶ See the definition of this term in the glossary.

13. Often it is important to look beyond the confines of the organisation of a single controller pseudonymising the data. Personal data is frequently pseudonymised before it is shared with other controllers or to processors to limit the risks involved in that sharing. Pseudonymised data coming from different controllers might need to be brought together and linked. Or, in contrast, different datasets need to be pseudonymised in a way that assures that they cannot be linked.

14. The guidelines close with a summary of procedures for pseudonymisation, which is presented not as a prescription, but as guidance for the steps controllers and processors could take to ensure that the pseudonymisation they implement is effective.

15. Annexed to the guidelines, the readers will find several examples showing the use of pseudonymisation to limit risks for data subjects in real life scenarios.

2 DEFINITIONS AND LEGAL ANALYSIS

2.1 Legal definition of pseudonymisation

16. Pseudonymisation is defined in Art. 4(5) GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

17. To attribute data to a specific (identified) person means to establish that the data relate to that person. To attribute data to an identifiable person means to link the data to other information with reference to which the natural person could be identified. Such a link could be established on the basis of one or several identifiers or identifying attributes.

18. Pseudonymisation generally requires the application of a pseudonymising transformation. This is a procedure that modifies original data in a way that the result — the pseudonymised data — cannot be attributed to a specific data subject without additional information. The pseudonymising transformation may and regularly does replace part of the original data with one or several pseudonyms — new identifiers that can be attributed to data subjects only using additional information. For details, see section 3.1.1.

These guidelines will call controllers that use pseudonymisation as a safeguard and modify original data according to Art. 4(5) GDPR pseudonymising controllers. Similar terminology is used for processors.

19. Additional information is information whose use enables the attribution of pseudonymised data to identified or identifiable persons. The generation, or use of additional information is an inherent part of the pseudonymising transformation.

20. It includes information that is retained as part of the pseudonymisation process for consistent pseudonymisation of different items of personal data relating to the same data subject and information that is kept to be used for later reversal of pseudonymisation. Such additional information may consist of tables matching pseudonyms with the identifying attributes they replace. It may also consist of cryptographic keys. Additional information kept by a pseudonymising controller or processor must be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. In particular, the additional information is not to be disclosed to or used by persons processing the pseudonymised data. Such additional information may itself be personal data and so also subject to the GDPR.

21. Additional information may also exist beyond the immediate control of the pseudonymising controller or processor. The pseudonymising controller or processor should take such information into account in the assessment of the effectiveness of pseudonymisation to the extent such information can reasonably be expected to be available. For example, information from publicly accessible sources, such as posts in a social media or an online forum, may contribute to the attribution of pseudonymised data to data subjects. This assessment will help determine if any further measures need to be implemented to avoid attribution.

22. Pseudonymised data, which could be attributed to a natural person by the use of additional information, is to be considered information on an identifiable natural person,⁷ and is therefore personal. This statement also holds true if pseudonymised data and additional information are not in the hands of the same person. If pseudonymised data and additional information could be combined having regard to the means reasonably likely to be used by the controller or by another person, then the pseudonymised data is personal. Even if all additional information retained by the pseudonymising controller has been erased, the pseudonymised data becomes anonymous only if the conditions for anonymity are met.

23. Pseudonymisation is a technical and organisational measure that allows controllers and processors to reduce the risks to data subjects and meet their data-protection obligations, for example under Art. 25 or 32 GDPR. Therefore, if a controller processes personal data and applies pseudonymisation in the process, then the legal basis for the processing of the personal data extends to all processing operations needed to apply the pseudonymising transformation.

24. Union or Member State law may require pseudonymisation of personal data for the processing of personal data in specific situations, e.g. when providing for a legal basis under Art. 6(1)(c) or (e) GDPR in accordance with Art. 6(3) GDPR, or as a further condition in accordance with Art. 9(4) GDPR. In such cases, the law may also lay down specific requirements the pseudonymisation process or output has to meet, or the objectives it should achieve.

25. When such specific mandates for pseudonymisation are absent, controllers themselves may define the objectives⁸ that pseudonymisation should achieve. Those objectives may be connected with the processing they intend to perform themselves or with any subsequent processing of the pseudonymised data by recipients of those data.

2.2 Objectives and advantages of pseudonymisation

26. In accordance with Rec. 28 GDPR, pseudonymising data reduces risks for data subjects while allowing general analysis.

2.2.1 Risk reduction

27. Pseudonymisation reduces confidentiality risks when done effectively, which presumes that the additional information referred to in paragraph 20 is subject to the measures provided in Art. 4(5) GDPR. It does so in two ways. First, it prevents the disclosure of direct identifiers of data subjects to some or all legitimate recipients of the pseudonymised data. Second, in the event of unauthorized disclosure or access to data that has been effectively pseudonymised, pseudonymisation can reduce the severity of the resulting confidentiality risk and the risk of negative consequences of such disclosure or access to the data subjects, provided that the persons to whom the data is disclosed are prevented from accessing additional data.

⁷ Rec. 26 GDPR.

⁸ These guidelines distinguish between the purpose of the processing of personal data according to Art. 5(1)(b) GDPR, and the objective of a safeguard like pseudonymisation employed during that processing, which consists in a certain aspect of the fulfilment of data protection obligations.

28. Pseudonymisation can reduce risks of function creep, i.e. the risk that personal data is further processed in a manner that is incompatible with purposes for which it was collected. This is because processors or persons acting under the authority of the controller or of the processor, who have access to the pseudonymised data, are not able to use those data for purposes whose fulfilment requires attribution to the data subjects. In particular, this concerns purposes whose fulfilment requires any direct interaction with the data subjects.

29. Finally, depending on the techniques used, assigning widely differing pseudonyms to persons with very similar identifying attributes, may not only enhance confidentiality, but also reduce risks to accuracy of the data by reducing the risk of incorrectly attributing data or objects to the wrong data subjects.⁹

30. The effectiveness of the implementation of pseudonymisation determines the extent of the reduction of risks for the data subjects and the benefits the controllers may derive from it, including the fulfilment of data-protection obligations according to Art. 24, 25 and 32 GDPR, see sections 2.4.1 and 2.4.2 below.

2.2.2 Analysis of pseudonymised data and planned attribution

31. Pseudonymised data can often be usefully analysed since, in large part, the information content of the original data can still be evaluated. Moreover, the insertion of pseudonyms enables the linkage of various records of pseudonymised data relating to the same person without the need to use additional information.¹⁰

32. After the analysis has been performed, pseudonymisation may be partially or completely reversed by

a. identifying the data subject,

b. linking pseudonymised to original data, or

c. reconstituting original data from pseudonymised data

using additional information kept by the controller for that purpose (planned attribution). This reversal should be performed by persons specifically authorised for this purpose, as per Rec. 29 GDPR. Under the same conditions, pseudonymisation may also be reversed in individual cases due to singular circumstances applying to them, while continuing to process the bulk of the data by default in a pseudonymised manner. See Example 3 in the annex.
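The pseudonymising transformation and separately kept additional information of paragraphs 18 to 20, and the linkage and planned attribution of paragraphs 31 and 32, sketched as an added example that is not part of the guidelines. HMAC-SHA256 as the pseudonymising function, the field names, the keys and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; "email" plays the role of the direct identifier.
ORIGINAL = [
    {"email": "alice@example.org", "visit": "2025-01-03", "code": "J45"},
    {"email": "bob@example.org", "visit": "2025-01-04", "code": "E11"},
    {"email": "Alice@example.org", "visit": "2025-02-10", "code": "J45"},
]
# Constructed keys, one per pseudonymisation domain. In practice they would be
# random secrets held in a key store the data recipients cannot reach.
KEY_DOMAIN_A = b"constructed-key-for-domain-A"
KEY_DOMAIN_B = b"constructed-key-for-domain-B"


def make_pseudonym(identifier, key):
    """Keyed one-way mapping (HMAC-SHA256, an assumption of this example).
    Without the key, nobody can recompute a pseudonym from a guessed identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key, id_field="email"):
    """Return (pseudonymised records, lookup table).
    The key and the table are the additional information: stored separately,
    never handed to whoever processes the pseudonymised records."""
    out, table = [], {}
    for rec in records:
        pseudonym = make_pseudonym(rec[id_field], key)
        table[pseudonym] = rec[id_field].strip().lower()
        rest = {k: v for k, v in rec.items() if k != id_field}
        out.append({"pseudonym": pseudonym, **rest})
    return out, table


def link(records):
    """Group records of one person using only the pseudonym (paragraph 31)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["pseudonym"]].append(rec)
    return dict(groups)


def attribute(pseudonym, table):
    """Planned attribution (paragraph 32); needs the separately kept table."""
    return table.get(pseudonym)


if __name__ == "__main__":
    data_a, table_a = pseudonymise(ORIGINAL, KEY_DOMAIN_A)
    data_b, _ = pseudonymise(ORIGINAL, KEY_DOMAIN_B)
    print({p: len(v) for p, v in link(data_a).items()})
    print(attribute(data_a[0]["pseudonym"], table_a))
    # Different keys give unrelated pseudonyms, so domains A and B cannot be joined.
    print({r["pseudonym"] for r in data_a} & {r["pseudonym"] for r in data_b})
```

Paragraph 7 still applies to the output: the remaining fields (here `visit` and `code`) have to be assessed as well, since replacing the identifier alone does not prevent attribution.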

⁹ See Example 4 in the annex.

¹⁰ Such linkage might be required and lawful only under certain conditions. However, controllers can shape the pseudonymisation transformation in a way that limits the ability to link various items of pseudonymised data accordingly,
